Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
PrivApolloSecret Ballot E2E-V Internet Voting
Hua Wu, Poorvi Vora, Filip Zagorski
Voting’19
Agenda
1 Intro
2 Related workBenaloh’s SVEHeliosApollo
3 PrivApolloVoter experienceEncoding
End-to-end verifiability
• How can one ensure integrity of traditional elections?
• Observe
• How can one ensure integrity of electronic elections?
• Verify
• What shall we verify? Source code? Servers, clients?
• R. L. Rivest, J. Wack, Software Independence: A votingsystem is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
End-to-end verifiability
• How can one ensure integrity of traditional elections?• Observe
• How can one ensure integrity of electronic elections?
• Verify
• What shall we verify? Source code? Servers, clients?
• R. L. Rivest, J. Wack, Software Independence: A votingsystem is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
End-to-end verifiability
• How can one ensure integrity of traditional elections?• Observe
• How can one ensure integrity of electronic elections?
• Verify
• What shall we verify? Source code? Servers, clients?
• R. L. Rivest, J. Wack, Software Independence: A votingsystem is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
End-to-end verifiability
• How can one ensure integrity of traditional elections?• Observe
• How can one ensure integrity of electronic elections?• Verify
• What shall we verify? Source code? Servers, clients?
• R. L. Rivest, J. Wack, Software Independence: A votingsystem is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
End-to-end verifiability
• How can one ensure integrity of traditional elections?• Observe
• How can one ensure integrity of electronic elections?• Verify
• What shall we verify? Source code? Servers, clients?
• R. L. Rivest, J. Wack, Software Independence: A votingsystem is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
End-to-end verifiability
• How can one ensure integrity of traditional elections?• Observe
• How can one ensure integrity of electronic elections?• Verify
• What shall we verify? Source code? Servers, clients?• R. L. Rivest, J. Wack, Software Independence: A voting
system is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
End-to-end verifiability
• How can one ensure integrity of traditional elections?• Observe
• How can one ensure integrity of electronic elections?• Verify
• What shall we verify? Source code? Servers, clients?• R. L. Rivest, J. Wack, Software Independence: A voting
system is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
End-to-end verifiability
• How can one ensure integrity of traditional elections?• Observe
• How can one ensure integrity of electronic elections?• Verify
• What shall we verify? Source code? Servers, clients?• R. L. Rivest, J. Wack, Software Independence: A voting
system is software-independent if an undetected change orerror in its software cannot cause an undetectable change orerror in an election outcome.
• S. Popoveniuc, J. Kelsey, A. Regenscheid, P. Vora.Performance Requirements for End-to-End VerifiableElections. EVT/WOTE 2010.
• R. Kusters, T. Truderung, A. Vogt, Accountability:definition and relationship to verifiability, CCS 2010.
E2E Verifiability – intuition
• Cast as intended
• Recorded as cast
• Tallied as recorded
Basic Model of a Voter
The voter, V, is a human and is able to:
• read and compare short strings;
• choose a candidate to vote for;
• choose at random whether to cast or audit an encryption(Benaloh’s challenge)
• choose a random short string (this is required to secure theprotocol against clash-attacks, but low-entropy strings aresufficient—selected strings need to be unique only acrossvoting sessions active at that time).
Basic Model of a Voter
The voter, V, is a human and is able to:
• read and compare short strings;
• choose a candidate to vote for;
• choose at random whether to cast or audit an encryption(Benaloh’s challenge)
• choose a random short string (this is required to secure theprotocol against clash-attacks, but low-entropy strings aresufficient—selected strings need to be unique only acrossvoting sessions active at that time).
Basic Model of a Voter
The voter, V, is a human and is able to:
• read and compare short strings;
• choose a candidate to vote for;
• choose at random whether to cast or audit an encryption(Benaloh’s challenge)
• choose a random short string (this is required to secure theprotocol against clash-attacks, but low-entropy strings aresufficient—selected strings need to be unique only acrossvoting sessions active at that time).
Basic Model of a Voter
The voter, V, is a human and is able to:
• read and compare short strings;
• choose a candidate to vote for;
• choose at random whether to cast or audit an encryption(Benaloh’s challenge)
• choose a random short string (this is required to secure theprotocol against clash-attacks, but low-entropy strings aresufficient—selected strings need to be unique only acrossvoting sessions active at that time).
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r
2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)
2 recorded as cast (physical process e.g., in StarVote) and onlinecheck with BB
3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB
3 tallied as recorded
Benaloh’s challenge
• Simple Verifiable Elections
1 a voter V makes a choice Vx−→ M
2 a machine M:
1 generates randomness r2 prints encrypted ballot c := Enc(x , r)
3 the voter makes a decision:
Cast then V takes printout as a receipt,M sends c to BB,
Audit M prints r , V verifies, goes to the Step 1
• Properties:
1 cast as intended (Benaloh’s challange)2 recorded as cast (physical process e.g., in StarVote) and online
check with BB3 tallied as recorded
Helios
• Ben Adida, Helios: Web-based Open-Audit Voting.,USENIX Security Symposium 2008
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016
• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?
• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?
• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?
• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?
• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?
• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?
• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?• a voting booth casts a different ballot,
• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,
• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!
• focus on recorded as cast
Apollo
• D. Gawel, M. Kosarzecki, P. Vora, H. Wu, FZ,Apollo–End-to-End Verifiable Internet Voting withRecovery from Vote Manipulation, E-Vote-ID 2016• Findings: Helios was vulnerable to:
• Cross-Site Scripting (non-persistent) – attacker could executeany arbitrary JavaScript code in the voter’s browser,
• Cross-Site Request Forgery (vulnerable methods: electionedition, adding a trustee and 5 other),
• Clickjacking.
• What happens if a voting booth or a server are dishonest?• a voting booth casts a different ballot,• a voting booth overwrites cast ballot,• a server overwrites a ballot but does not send email.
• Goal: make Helios great again!• focus on recorded as cast
Helios – dishonest server
ApolloBallot Generation
…
VBVoter
1. Candidate: X
3. Ask for Info
4. SID,
title and ballot
Bulletin Board
2. E
nc[x
,r]
5. Check
PrivApollo
• Apollo introduced voting assistants
• Goal: make voting private• Idea: information about a vote is split between:
• a voting booth (VB),• an active voting assistant (AVA).
PrivApollo
PrivApollo
PrivApollo
PrivApollo
PrivApollo
PrivApollo
PrivApollo
PrivApollo
Encoding/tallying
Each of N cast ballots consists of several encryptions.
• Encryption of the ballot layout (sent by VB to BB )
• List of encrypted inner codes (sent by VB to BB )
• Encryption of inner code (color) selected by the voter (innercode sent by V to AVA, encryption sent by AVA to BB ).
PrivApollo: VoteCodes ReEncryption (Phase 1a)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),ReEnc(δπi,2(j))
⟩;
cσ(i) := ReEnc(ci ).
PrivApollo: VoteCodes ReEncryption (Phase 1a)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),ReEnc(δπi,2(j))
⟩;
cσ(i) := ReEnc(ci ).
PrivApollo: VoteCodes ReEncryption (Phase 1a)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,2
2 on input:bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),ReEnc(δπi,2(j))
⟩;
cσ(i) := ReEnc(ci ).
PrivApollo: VoteCodes ReEncryption (Phase 1a)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),ReEnc(δπi,2(j))
⟩;
cσ(i) := ReEnc(ci ).
PrivApollo: VoteCodes ReEncryption (Phase 1a)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),ReEnc(δπi,2(j))
⟩;
cσ(i) := ReEnc(ci ).
PrivApollo: VoteCodes Decryption (Phase 1b)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
Shared key: Km
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),DecKm(δπi,2(j))
⟩;
cσ(i) := DecKm(ci ).
PrivApollo: VoteCodes Decryption (Phase 1b)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
Shared key: Km
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),DecKm(δπi,2(j))
⟩;
cσ(i) := DecKm(ci ).
PrivApollo: VoteCodes Decryption (Phase 1b)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
Shared key: Km
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,2
2 on input:bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),DecKm(δπi,2(j))
⟩;
cσ(i) := DecKm(ci ).
PrivApollo: VoteCodes Decryption (Phase 1b)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
Shared key: Km
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),DecKm(δπi,2(j))
⟩;
cσ(i) := DecKm(ci ).
PrivApollo: VoteCodes Decryption (Phase 1b)
Input: 〈ballotLayouti , voteCodesi , ci 〉Ni=1 = 〈bLi , vCi , ci 〉Ni=1
Shared key: Km
1 pick at random σ a permutation of N elements.
2 for each i = 1 . . .N do:
1 select k-element permutations πi,1, πi,22 on input:
bLi = [〈α1, β1〉 , . . . , 〈αk , βk〉];vCi = [〈γ1, δ1〉 , . . . , 〈γk , δk〉];ci .
3 output (for j = 1 . . . k):bLσ(i)[j ] :=
⟨ReEnc(απi,1(j)),ReEnc(βπi,1(j))
⟩;
vCσ(i)[j ] :=⟨ReEnc(γπi,2(j)),DecKm(δπi,2(j))
⟩;
cσ(i) := DecKm(ci ).
Conclusions
• PrivApollo – a fully electronic scheme that is end-to-end voterverifiable,
• Provides ballot secrecy from the devices used to cast a ballot.
• The privacy property holds if the Voting Booth does notcollude with the Active Voting Assistant.
• Integrity is achieved as long as at least one Voting Assistantused by the Voter is honest.
• We presented 3 aproaches of encoding, each with differentsecurity guaranties and usability properties (issues).